New data protection legislation in many countries has gotten a lot of attention in recent years. But we hear less about what happens after these laws are passed. Although the substance of new data protection laws is important, implementation is where the rubber meets the road. Any new law is only as good as the implementing capabilities of regulators and providers, so it’s important to take those capabilities into consideration when developing the law’s provisions, subsequent rules and institutional structures that must be put in place to bring it to life.
This point was underscored in a recent policy brief issued by the Future of Finance Initiative at Dvara Research that provides a blueprint for actions that will need to be taken by India’s central government and the new Data Protection Authority (DPA) that will be created after passage of the Personal Data Protection Bill. In total, the government and the DPA will need to address at least 82 action points to implement the new law. This observation begs the question: will regulators have the capacity needed to implement and enforce this new law?
Bridging a Gap of Understanding and Interpretation
As mentioned in the introductory blog post to this series, a common theme that surfaced during interviews we conducted last year with various data protection stakeholders in India, Ghana and Peru (as part of a Credit Suisse Global Citizens volunteer project) is that there is a gap that needs to be bridged between governments and providers on the issue of data protection.
For example, in Ghana, which has had a data protection law in place since 2012, any entity that handles personal data must register with the country’s Data Protection Commission as either a data controller or a data processor. However, according to Elorm Allavi, founder of SyeComp, an agricultural intelligence tech startup, it’s not necessarily clear which classification to register under and what the implications may be for the registration fees to be paid. He also described the data protection requirements as being “very one sided” and expressed a desire for the Bank of Ghana and data protection regulators to take steps to better comprehend the changing digital landscape and how fintechs use data. He felt that their lack of understanding limits their ability to assess the risks and can lead to unwarranted regulations.
On the government side, we’re grateful to Clarissa Kudowor at the Bank of Ghana (BoG) for providing a written response to some of the questions we had submitted regarding the overall legal and regulatory environment around data, as well as the BoG’s new Cyber & Information Security Directive. In her response, she recognized the need for innovation in financial services and the role of proportionate regulations and regulatory sandboxes in helping to create an enabling regulatory environment. But despite this enabling spirit, there was also a clear undertone throughout her remarks that compliance with the provisions of the law is paramount, though there was no mention of any specific engagement with providers that would help to facilitate that compliance. Moreover, Ms. Kudowor had to refer some of our questions to the Data Protection Commission, which sits within the Ministry of Communications. This was understandable, since Ghana’s data protection law applies to all sectors and not just the financial sector, but our efforts to get a response from the commission weren’t successful. This perhaps was indicative of the kinds of concerns providers often express about having multiple regulators to answer to.
We encountered similar concerns in Peru, where Mariano Fuentes, a Legal Advisor with ASBANC, the association of private financial institutions in Peru, told us about five member banks that were appealing sanctions by the National Data Protection Authority (NDPA) over differences in interpretation of consent requirements, suggesting a lack of regulatory clarity. Raising a separate concern, Elias Vargas, Head of Market Conduct Supervision at SBS (the Peruvian banking superintendent), spoke about overlaps in the mandates of the SBS and the NDPA and suggested that in some cases the SBS may be better positioned than the NDPA, which resides in the Ministry of Justice, to provide oversight of the financial sector on certain data protection issues. And in India, where the new data protection bill is looming large, Tejamoy Gosh, Head of Data Science and Artificial Intelligence with Aye Finance, also emphasized the need for regulatory clarity when he said that he would like to see “a list of ‘don’ts’ rather than a list of ‘dos,’ so we can be sure of what not to do absolutely.”
Provider and Other Stakeholder Capacity Needed, Too
All of the above issues are reflective of the enormous complexity of data, which brings us full circle to the need for policymakers and regulators to take capacity into account when designing and implementing new data protection frameworks. This doesn’t mean just regulatory capacity, but also provider capacity. In order to do this, it’s important for those doing the regulating to consult with those who will be regulated throughout the policymaking process so that all data protection stakeholders can be set up for success. Based on the feedback we obtained through the interviews described above, it appears that much more deliberate action is needed to make this happen.
It’s important for those doing the regulating to consult with those who will be regulated.
As noted by the team at the Future of Finance Initiative at Dvara Research, “Developing robust and timeless regulation will require collaboration between regulators, entities processing data, civil society, researchers and technologists.” We couldn’t agree more. As our interviews showed, there’s a divide between regulators and providers that intentional and ongoing collaboration can help to bridge. They also suggest that governments need to do more to ensure that regulatory bodies not only have the technical expertise to deal with data issues writ large, but also the sectoral expertise to be able to effectively deal with data issues that are specific to each sector. Designing and implementing data protection frameworks is no small task, and governments should do all they can to enlist the support of external stakeholders to develop frameworks that truly set everyone up for success.